rpms
/
quota
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c8'
${ noResults }
quota/SOURCES/quota-4.04-warnquota-Check-...

77 lines
3.3 KiB
Raw Permalink Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

From eeef53917864600e0f5ac42ce5c3d884967012a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 5 Feb 2018 10:31:47 +0100
Subject: [PATCH 1/2] warnquota: Check snprintf() for overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC 8 with GNU libc 2.27 prerelease warns:
gcc -DHAVE_CONFIG_H -I. -g -O2 -Wall -fPIC -I/usr/include/tirpc -c -o warnquota.o warnquota.c
warnquota.c: In function lookup_user:
warnquota.c:415:29: warning: %s directive output may be truncated writing up to 2047 bytes into a region of size 255 [-Wformat-truncation=]
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~
warnquota.c:415:2: note: snprintf output 4 or more bytes (assuming 2051) into a destination of size 256
snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
warnquota.c: In function warn_quota:
warnquota.c:896:51: warning: %s directive output may be truncated writing up to 2047 bytes into a region of size 2041 [-Wformat-truncation=]
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~ ~~~~~~~~~~~~~~~~~
warnquota.c:896:4: note: snprintf output between 10 and 2067 bytes into a destination of size 2048
snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is patch fixes it by catching the cases when snprintf() truncates and
reporting an error.
Perfect fix would fall back into dynamically allocated buffers but
I think that would make these corner case too complicated provided
nobody had yet complained about them.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
warnquota.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/warnquota.c b/warnquota.c
index 073c45e..bc11055 100644
--- a/warnquota.c
+++ b/warnquota.c
@@ -412,7 +412,13 @@ static char *lookup_user(struct configparams *config, char *user)
}
/* search for the offender_name in ldap */
- snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr, user);
+ if (256 <= snprintf(searchbuf, 256, "(%s=%s)", config->ldap_search_attr,
+ user)) {
+ errstr(_("Could not format LDAP search filter for %s user and "
+ "%s search attribute due to excessive length.\n"),
+ user, config->ldap_search_attr);
+ return NULL;
+ }
ret = ldap_search_ext_s(ldapconn,
config->ldap_basedn, LDAP_SCOPE_SUBTREE,
searchbuf, NULL, 0, NULL, NULL, NULL,
@@ -893,7 +899,14 @@ cc_parse_err:
if (config->use_ldap_mail)
{
if (!config->ldap_uri[0]) {
- snprintf(config->ldap_uri, CNF_BUFFER, "ldap://%s:%d", config->ldap_host, config->ldap_port);
+ if (CNF_BUFFER <= snprintf(config->ldap_uri, CNF_BUFFER,
+ "ldap://%s:%d", config->ldap_host,
+ config->ldap_port)) {
+ errstr(_("Could not format LDAP URI because "
+ "it's longer than %d bytes.\n"),
+ CNF_BUFFER);
+ return -1;
+ }
errstr(_("LDAP library version >= 2.3 detected. Please use LDAP_URI instead of hostname and port.\nGenerated URI %s\n"), config->ldap_uri);
}
}
--
2.13.6
Reference in new issue View Git Blame Copy Permalink